
Restricting login source addresses on the various Juniper device series

Posted: 2020-12-14 13:32:03

Tags: stat   loopback   ipsec   ping   manage   accept   net   loop   res

SRX series
The set commands below are relative to the configuration hierarchy shown in square brackets above each group (the form you get after "edit <hierarchy>" in the CLI).

[edit policy-options]
set prefix-list manager-ip 172.16.2.18/32
set prefix-list manager-ip 10.0.25.128/26
The prefix list defines the set of host addresses that are allowed to manage the device.

[edit firewall family inet filter manager-ip]
set term block_non_manager from source-address 0.0.0.0/0
set term block_non_manager from source-prefix-list manager-ip except
set term block_non_manager from protocol tcp
set term block_non_manager from destination-port ssh
set term block_non_manager from destination-port https
set term block_non_manager from destination-port telnet
set term block_non_manager from destination-port http
set term block_non_manager then discard
This firewall filter term discards traffic to the management ports from every source IP address except those defined in the prefix list.
set term accept_everything_else then accept
The default term accepts all other traffic.

[edit interfaces <interface-name> unit 0]
set family inet filter input manager-ip
Apply the filter as an input filter on the corresponding interface (replace <interface-name> with the actual interface). If there is IPsec traffic, or OSPF, RIP, BGP or any other traffic that terminates on the device's interface, the interface's IP address must be added to the prefix list.
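To check how the SRX filter above treats a given packet before committing it, here is an added Python model of its evaluation (not part of the original post). It parses the page's set commands written out with the full Junos hierarchy they imply, and applies Junos first-match term semantics with a simplified reading of "except" (address must not be in the prefix list) and the implicit final discard; it assumes nothing beyond the page's own prefix list, terms and port names.

```python
import ipaddress

# The page's SRX filter, written out with the full Junos hierarchy it implies.
T = "set firewall family inet filter manager-ip term "
CONFIG = [
    "set policy-options prefix-list manager-ip 172.16.2.18/32",
    "set policy-options prefix-list manager-ip 10.0.25.128/26",
    T + "block_non_manager from source-address 0.0.0.0/0",
    T + "block_non_manager from source-prefix-list manager-ip except",
    T + "block_non_manager from protocol tcp",
    *[T + f"block_non_manager from destination-port {p}" for p in ("ssh", "https", "telnet", "http")],
    T + "block_non_manager then discard",
    T + "accept_everything_else then accept",
]
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}

def parse(lines):
    """Collect prefix lists and terms; dict insertion order is the term evaluation order."""
    prefix_lists, terms = {}, {}
    for line in lines:
        w = line.split()
        if w[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.setdefault(w[3], []).append(ipaddress.ip_network(w[4]))
        elif w[1] == "firewall" and w[6] == "term":
            t = terms.setdefault(w[7], {"from": {}, "then": None})
            if w[8] == "then":
                t["then"] = w[9]
            elif w[9] == "source-prefix-list":   # trailing "except" negates the list
                t["from"]["pl-except" if w[-1] == "except" else "pl"] = w[10]
            elif w[9] == "destination-port":     # named ports become numbers
                t["from"].setdefault("dport", set()).add(PORTS.get(w[10], w[10]))
            else:                                # source-address, protocol
                t["from"].setdefault(w[9], set()).add(w[10])
    return prefix_lists, terms

def evaluate(prefix_lists, terms, src, proto, dport):
    """First matching term wins; no match falls through to Junos's implicit discard."""
    ip = ipaddress.ip_address(src)
    in_list = lambda name: any(ip in net for net in prefix_lists[name])
    for t in terms.values():
        f = t["from"]  # every present match condition must hold (simplified 'except' model)
        if all((
            "source-address" not in f or any(ip in ipaddress.ip_network(n) for n in f["source-address"]),
            "pl" not in f or in_list(f["pl"]),
            "pl-except" not in f or not in_list(f["pl-except"]),
            "protocol" not in f or proto in f["protocol"],
            "dport" not in f or dport in f["dport"],
        )):
            return t["then"]
    return "discard"
```

Note that a non-management source reaching a port outside the four listed ones (for example BGP on tcp/179) still falls through to the accept term, which is why the filter only protects the management services it names.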
 
EX series: write the ACL as a firewall filter and apply it as an input filter on the loopback interface, which covers traffic destined to the device itself on every interface
set firewall family inet filter local_acl term terminal_access from source-address 192.168.1.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl

Original article: https://www.cnblogs.com/juanxu/p/14102803.html
